Why Security Configuration Management (SCM) Matters

In the Godfather Part II, Michael Corleone says, “There are many things my father taught me here in this room. He taught me: keep your friends close, but your enemies closer.” This lesson Vito Corleone taught his son Michael is just as applicable to IT security configuration management (SCM).

Faster breach detection

Today’s cyber threat landscape is extremely challenging. This is highlighted by the length of time it takes to detect a breach. The gap from a breach to detection is still lingering at 205 days, according to Mandiant. Two hundred five days is nearly seven months, and that is a lot of time for your enemies to wreak havoc on your network.

So where does an organization start to “keep their enemies closer”? The SANS Institute and the Center for Internet Security recommend that once you have inventoried your hardware and software, the most important security control is secure configurations.

What is Security Configuration Management?

The National Institute of Standards and Technology (NIST) defines security configuration management as “The management and control of configurations for an information system with the goal of enabling security and managing risk.”

Attackers look for systems whose default settings leave them immediately vulnerable. Once an attacker exploits a system, they start making changes. These two reasons are why security configuration management tools are so important. SCM can not only identify misconfigurations that make your systems vulnerable but can also identify “unusual” changes to critical files or registry keys.

With a new zero-day threat revealed almost daily, signature-based defenses are not enough to detect advanced threats. To detect a breach early, organizations need to understand not just what is changing on critical devices but also be able to identify “bad” changes. SCM tools allow organizations to understand exactly what is changing on their key assets.

By setting a gold standard configuration for your systems and continuously monitoring for indicators of compromise, organizations can quickly identify a breach. Early detection of a breach will help to mitigate the damage of an attack. Using SCM to enforce a corporate hardening standard like CIS, NIST and ISO 27001 or a compliance standard like PCI, SOX or HIPAA provides the ability to continuously harden systems to reduce the attack surface. Hardened systems provide less opportunity for the bad guys to launch a successful attack.

Your Security Configuration Management Plan in Action

Without a security configuration management plan, the task of maintaining secure configurations even on a single server is daunting; there are well over a thousand ports, services and configuration settings to track. If you multiply those same ports, services and settings across your entire enterprise of servers, hypervisors, routers, switches and firewalls, the only way to track all of those configurations is through automation.

A good SCM tool automates those tasks for you and provides deep system visibility at the same time. The moment a system becomes misconfigured, you should be notified and offered detailed remediation instructions to bring that system back into alignment with its baseline. There are four key stages to robust SCM:

1. Device discovery

First, you’ll need to find the devices that need to be managed. Ideally you can leverage an SCM platform with an integrated asset management repository. You will also want to categorize and “tag” assets to avoid starting unnecessary services. Engineering workstations, for example, require different configurations than finance systems.

2. Establish configuration baselines

You will need to define acceptable secure configurations for each managed device type. Many organizations start with the benchmarks from trusted establishments like CIS or NIST for granular guidance on how devices should be configured.

3. Assess, alert and report changes

Once devices are discovered and categorized, the next step is to define a frequency for assessments. How often will you run a policy check? Real-time assessments may be available but are not required for all use cases.

4. Remediate

Once a problem is identified, either it needs to be fixed or someone needs to grant an exception. You are likely to have too much work to handle immediately, so prioritization is a key success criterion. You will also need to verify, for audit purposes, that expected changes actually took place.
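The four stages above, as an added illustration that is not code from the original article or from any SCM product: a tag-keyed baseline (stage 1 and 2), an assessment that reports drift ordered by severity while honouring approved exceptions (stage 3 and 4), and a check that confirms a remediation actually took effect. The device tag, control names, severities and the observed state are all constructed sample values.

```python
"""Minimal baseline-drift assessment (constructed example, not a product's code)."""
import hashlib
from dataclasses import dataclass

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}  # for prioritization


@dataclass(frozen=True)
class Control:
    name: str       # setting, service, or "file:<path>" whose hash is tracked
    expected: str   # baseline value (hardening standard)
    severity: str   # "high" | "medium" | "low"


def hash_content(data: bytes) -> str:
    """Fingerprint a critical file so unexpected edits show up as drift."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


# Stage 1/2: baseline per device tag (constructed; CIS-style settings).
BASELINE = {
    "linux-webserver": [
        Control("sshd.PermitRootLogin", "no", "high"),
        Control("sshd.PasswordAuthentication", "no", "high"),
        Control("telnet.service", "disabled", "medium"),
        Control("file:/etc/sudoers", hash_content(b"root ALL=(ALL) ALL\n"), "high"),
    ],
}


def assess(tag, observed, exceptions=frozenset()):
    """Stage 3: compare observed state with the baseline for `tag`.
    Returns findings sorted highest severity first; controls with an
    approved exception are skipped (stage 4 exception handling)."""
    findings = []
    for ctl in BASELINE[tag]:
        actual = observed.get(ctl.name, "<missing>")
        if actual == ctl.expected or ctl.name in exceptions:
            continue
        findings.append({"control": ctl.name, "expected": ctl.expected,
                         "actual": actual, "severity": ctl.severity})
    # sorted() is stable, so equal severities keep baseline order
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)


def verify_remediation(tag, findings_before, observed_after):
    """Stage 4: which earlier findings are now closed (evidence for the audit)."""
    still_open = {f["control"] for f in assess(tag, observed_after)}
    return [f["control"] for f in findings_before if f["control"] not in still_open]


# Constructed observed state: root SSH login on, telnet enabled, sudoers edited.
OBSERVED = {
    "sshd.PermitRootLogin": "yes",
    "sshd.PasswordAuthentication": "no",
    "telnet.service": "enabled",
    "file:/etc/sudoers": hash_content(b"root ALL=(ALL) ALL\nwww-data ALL=(ALL) NOPASSWD:ALL\n"),
}
```

The sudoers drift is caught purely by its hash changing, which is the kind of “unusual” change to a critical file the article describes; the tool does not need to know in advance what the bad edit looks like.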

High-visibility dashboarding: You’ll want user-selectable elements and sensible defaults for both technical and non-technical users. You should be able to show only certain elements, policies and/or alerts to authorized users or groups, with entitlements typically stored in the enterprise directory.

Policy creation and management: Alerts are driven by the policies you implement in the system, so policy creation and management is also critical to adapt the solution to the unique requirements of your environment.

Alert management: Time is of the essence during any response, so the ability to drill down into deeper detail and then hand that information to an incident response process is critical. This allows administrators to monitor and manage policy violations that could represent a breach.

The security configuration management process is complex. But if you’re using the right SCM tool, the bulk of the work will be handled for you through automation. Using a corporate hardening standard and creating the baseline to identify changes to that standard is a great way to “keep your enemies closer.” Vito Corleone would be proud.